When SEGs Fail: Threat Actors Abuse Docusign to Launch Sophisticated Phishing Attacks
At Abnormal Security, we’ve seen a surge in phishing campaigns exploiting Docusign, a trusted platform for electronic signatures. These attacks take advantage of Docusign’s credibility to bypass traditional email defenses, tricking recipients into sharing sensitive information or transferring money.
Despite Docusign issuing a Public Service Announcement (PSA) in late 2024 to warn users, attackers continue refining their techniques—leveraging trusted brands to carry out sophisticated phishing campaigns.
How These Attacks Work
Phishing emails mimicking Docusign notifications exploit brand trust to deceive recipients. Abnormal Security has identified a few recurring tactics used in these attacks.
![Docusign1](/_next/image?url=https%3A%2F%2Fimages.abnormalsecurity.com%2Fproduction%2Fimages%2Fblog%2FDocusign1_2025-02-05-223128_tyoy.png%3Fw%3D1536%26h%3D1639%26auto%3Dcompress%252Cformat%26fit%3Dcrop%26dm%3D1738794690%26s%3D5ebc4d28f575b527dd885e331a1b0887&w=3840&q=75)
As you can see from the example above, these tactics include:
- Low-Context File Sharing Links: Emails often contain Docusign links with vague or no explanation of the document’s purpose.
- Unusual Senders: Attackers impersonate Docusign using email addresses with no prior interaction with recipients.
- Suspicious Financial Requests: Many emails request payment adjustments or fund transfers, actions uncommon for the recipient’s role.
- Reply-To Mismatch: Reply-To domains rarely match Docusign or the sender’s domain.
- Credential Theft: The email content is often designed to steal sensitive information like login credentials or payment details.
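Three of the tactics above (unusual sender, Reply-To mismatch, financial request) can be checked directly against a raw message. The sketch below is an added example, not Abnormal's detection logic: the function names, the Docusign domain list, the phrase list, and the sample message are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions: domains treated as Docusign's own, and an illustrative phrase list.
DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")
FINANCIAL_TERMS = ("payment adjustment", "wire transfer", "fund transfer")

# Constructed sample message, not the email shown in the article.
SAMPLE = """\
From: Docusign <notify@sender-example.test>
Reply-To: billing@payments-example.test
Subject: Complete with Docusign: Payment adjustment

Please review and sign the document.
"""


def _domain(header_value):
    """Lowercased domain of an address header, or '' if missing/malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _is_docusign(domain):
    return any(domain == d or domain.endswith("." + d) for d in DOCUSIGN_DOMAINS)


def docusign_indicators(raw_email, known_senders):
    """Return which of the article's indicators a raw message trips."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}".lower()

    hits = []
    if sender not in known_senders:  # no prior interaction with the recipient
        hits.append("unusual_sender")
    # Reply-To is present and matches neither Docusign nor the sender's domain.
    if reply_dom and reply_dom != from_dom and not _is_docusign(reply_dom):
        hits.append("reply_to_mismatch")
    if any(term in text for term in FINANCIAL_TERMS):
        hits.append("financial_request")
    return hits


if __name__ == "__main__":
    print(docusign_indicators(SAMPLE, known_senders={"colleague@corp.example"}))
```

A message that trips several indicators at once is a stronger triage signal than any single one; a Reply-To on a Docusign subdomain is deliberately not counted as a mismatch.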
Why Traditional Email Security Fails
Legacy email security solutions, like secure email gateways (SEGs), are not equipped to detect sophisticated phishing attacks that exploit trusted platforms like Docusign. Here’s why:
- Static Rules and Whitelists: SEGs rely on static rules, keyword matching, and allowlists to filter emails. While this works for broad, easily identifiable attacks, it is ineffective against sophisticated threats that use trusted domains like Docusign to bypass defenses.
- Lack of Behavioral Analysis: SEGs do not analyze user or organizational behavior to identify anomalies. For instance, they cannot detect when an email is inconsistent with the recipient’s typical interactions or role-specific responsibilities.
- Insufficient Contextual Awareness: Traditional systems focus on email headers and authentication protocols (e.g., SPF, DKIM, and DMARC). These methods verify the domain but cannot flag misuse of legitimate accounts or platforms.
By relying on outdated approaches, SEGs create a false sense of security, leaving organizations vulnerable to advanced phishing campaigns.
How Abnormal Detects Sophisticated Phishing Attacks
Abnormal’s AI-native platform continuously learns your organization’s unique behavior patterns to detect even the most sophisticated threats. Here’s how we stopped an attack abusing Docusign:
- Behavioral Anomaly: The sender had no prior interaction with the recipient, a red flag detected by Abnormal’s models.
- Low-Context Link: The Docusign link was flagged as suspicious, correlating with patterns used in previous phishing campaigns.
- Unusual Request: The email urged a payment adjustment—an action uncommon for the recipient’s role.
- Reply-To Mismatch: The Reply-To domain differed from both Docusign and the sender’s domain, further raising suspicion.
Abnormal identified this email as malicious in real-time, removing it from the user’s inbox before it could cause harm. This underscores Abnormal’s ability to detect and neutralize threats—even those leveraging trusted platforms.
Stay Ahead of Evolving Threats with AI-Powered Email Security
As attackers grow more sophisticated, exploiting trusted platforms like Docusign, traditional email security solutions fall behind. Protecting your organization requires a proactive, AI-powered approach capable of understanding user behavior and intent.
Discover how Abnormal Security safeguards your organization from advanced phishing attacks. Schedule a demo today!